Călin Georgescu went from polling around 1% a month before the Romanian presidential election to winning the first round
# Incident Report: Foreign Influence Campaign Targeting Romanian Election via Social Media Manipulation
## Executive Summary
A coordinated, foreign-backed influence campaign, primarily leveraging bot and human account networks on TikTok, artificially boosted the visibility of far-right, pro-Kremlin candidate Călin Georgescu ahead of the first round of Romania's presidential election. While this propaganda effort significantly skewed pre-election perception, an associated but separate cyberattack against the electoral infrastructure only managed to compromise a non-critical Geographic Information System (GIS) mapping server. The response involved international cooperation (TikTok), regulatory action (an EU DSA retention order), and a formal criminal investigation into campaign finance violations.
## Incident Details
- Discovery Date: Shortly after the November 24 first-round vote, confirmed by CSAT declassification.
- Incident Date: Began approximately two weeks before the November 24 first-round election.
- Affected Organization: Romanian Electoral Process/Social Media Ecosystem (TikTok, Telegram).
- Sector: Political/Electoral/Information Warfare.
- Geography: Romania.
## Timeline of Events
### Initial Access (Information Campaign Initiation)
- Date/Time: Approximately two weeks before November 24.
- Vector: Coordinated social media amplification on TikTok and Telegram.
- Details: Over 25,000 dormant accounts began posting content supporting Georgescu.
### Lateral Movement
- Details: The operators used sophisticated behavioral techniques: bot accounts posted identical hashtag and emoji strings to game TikTok's recommendation algorithm, and each bot used a distinct ("unique") IP address to evade standard IP-cluster detection. Influencers were paid via Telegram channels to boost the content.
### Data Exfiltration/Impact
- Data Spread: Successful manipulation of public perception, leading to Georgescu receiving 22.94% of votes, vastly exceeding pre-election polls (1%).
- Cyber Impact (Separate incident): Attackers compromised a Geographic Information System (GIS) mapping server linked to the electoral registry but failed to breach core election infrastructure.
### Detection & Response
- Detection: Romanian intelligence services (SRI) and CSAT identified the coordinated activity. TikTok also identified two clusters, one linked to Sputnik.
- Response Actions: TikTok suspended associated activity clusters. The European Commission issued the first-ever DSA retention order against TikTok. Romanian prosecutors launched an investigation into Georgescu's campaign for money laundering and election violations.
## Attack Methodology
- Initial Access: Coordinated content deployment via a large network of suspected bot and human-operated TikTok accounts.
- Persistence: Sustained content generation across many accounts that were years old and appeared unrelated to one another.
- Privilege Escalation: N/A (Information Operations, not system intrusion).
- Defense Evasion: Using distinct IP addresses for bot accounts to bypass clustered behavior monitoring systems.
- Credential Access: N/A.
- Discovery: N/A (Active influence operation).
- Lateral Movement: Use of shared strings (hashtags, emojis) to boost amplification across the bot network.
- Collection: N/A (Focus on content dissemination).
- Exfiltration: N/A (Focus on influence/ingress).
- Impact: Successful manipulation of public opinion and electoral perception surrounding a specific candidate.
## Impact Assessment
- Financial: Unknown, but Romanian prosecutors are investigating campaign finance violations (Georgescu claimed zero Romanian lei spent).
- Data Breach: No confirmed mass data breach of voter records, though an associated cyber-attack accessed a GIS mapping server.
- Operational: Significant distortion of the pre-election dynamic; public disagreement between Romanian officials and TikTok regarding compliance and content moderation.
- Reputational: Damage to the perceived integrity of the information environment leading up to the election.
## Indicators of Compromise
- Network indicators: IP addresses associated with bot clusters (specific IPs not provided in the source).
- File indicators: N/A (Operation focused on platform manipulation).
- Behavioral indicators: Over 25,000 accounts posting similar content starting two weeks before the election; coordinated use of identical hashtag/emoji strings; evidence suggesting connection to Russian news agency Sputnik.
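As an added illustration that is not part of the original report, the constructed Python example below contrasts the naive IP-based clustering the report says the bots evaded (one IP per account) with clustering on the shared hashtag/emoji signal and posting window the report describes; the sample feed, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed: (account, source IP, UTC timestamp, post text). Not real data.
POSTS = [
    ("acct_001", "203.0.113.11", "2024-11-10T08:01:00", "Vote for change! #romania #change 🇷🇴🔥🔥"),
    ("acct_002", "198.51.100.7", "2024-11-10T08:03:00", "The only honest one #romania #change 🇷🇴🔥🔥"),
    ("acct_003", "192.0.2.45",   "2024-11-10T08:04:00", "Wake up people #change #romania 🔥🇷🇴🔥"),
    ("acct_004", "203.0.113.90", "2024-11-10T08:06:00", "A real candidate at last #romania #change 🇷🇴🔥🔥"),
    ("acct_005", "198.51.100.2", "2024-11-10T08:07:00", "Share everywhere #romania #change 🔥🔥🇷🇴"),
    ("acct_100", "203.0.113.11", "2024-11-10T09:00:00", "Weekend hike #nature #mountains"),
    ("acct_101", "203.0.113.11", "2024-11-10T09:05:00", "Best ciorba recipe #food"),
]

HASHTAG_RE = re.compile(r"#\w+")
# Rough emoji match: misc symbols, emoticons/pictographs, regional indicators (flag halves).
EMOJI_RE = re.compile("[\u2600-\u27BF\U0001F300-\U0001FAFF\U0001F1E6-\U0001F1FF]")

def fingerprint(text):
    """Order-insensitive content signal: sorted hashtags plus sorted emoji multiset."""
    tags = sorted(t.lower() for t in HASHTAG_RE.findall(text))
    return (tuple(tags), tuple(sorted(EMOJI_RE.findall(text))))

def ip_clusters(posts, min_accounts=3):
    """Naive IP clustering: IPs shared by min_accounts or more accounts (misses one-IP-per-bot)."""
    by_ip = defaultdict(set)
    for account, ip, _ts, _text in posts:
        by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

def synchronized_clusters(posts, min_accounts=3, window_minutes=15):
    """Signal clustering: same hashtag/emoji fingerprint from many accounts inside a short window."""
    groups = defaultdict(list)
    for account, ip, ts, text in posts:
        groups[fingerprint(text)].append((account, ip, datetime.fromisoformat(ts)))
    found = []
    for fp, members in groups.items():
        accounts = {m[0] for m in members}
        times = sorted(m[2] for m in members)
        span = (times[-1] - times[0]).total_seconds() / 60
        if len(accounts) < min_accounts or span > window_minutes:
            continue
        ips = {m[1] for m in members}
        found.append({"fingerprint": fp, "accounts": sorted(accounts),
                      "distinct_ips": len(ips), "one_ip_per_account": len(ips) == len(accounts),
                      "span_minutes": span})
    return found
```

On this feed `ip_clusters(POSTS)` flags only the benign shared address (a household NAT), while `synchronized_clusters(POSTS)` returns the five-account cluster posting the same hashtag/emoji string from five different IPs within six minutes.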
## Response Actions
- Containment measures: TikTok suspended two clusters of coordinated activity.
- Eradication steps: N/A (Information operation eradication is complex; focus on platform suspension).
- Recovery actions: European Commission issued a DSA retention order compelling TikTok to preserve evidence. Romanian prosecutors initiated a formal criminal investigation.
## Lessons Learned
- The rapid rise of influence campaigns based on algorithmic manipulation (bots using unique IPs and synchronized signals) poses a significant threat to democratic processes.
- Partnerships with platforms like TikTok are critical, but platform intervention speed and geographic scope (blocking content only nationally vs. internationally) can be inadequate or flawed.
- Foreign influence, potentially linked to Russian actors (Sputnik connection), remains a consistent threat vector in Eastern European elections.
## Recommendations
- Governments and platforms must collaborate to enforce proactive detection of synchronized campaigns employing unique IP evasion tactics.
- Implement stricter regulatory oversight (leveraging mechanisms like the DSA) to ensure social media companies rapidly label or remove clear disinformation designed to influence electoral outcomes.
- Enhance cybersecurity defenses for electoral-adjacent systems (such as GIS mapping servers) against secondary, diversionary cyberattacks that occur concurrently with information operations.